Analysis Date: 2015-10-31 16:59:50
MD5: 0462ab365edd388a28128b5d66b4c308
SHA1: 5014cb76ce73039af19d2e426e71c2e80398466a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a67442de6ecbca97afd0287233967084 sha1: e9760fb3b9e9caaaa350a2217206c2459fcb77e8 size: 1084416
Section .rdata: md5: 90090b2fe41012cfa2eae1d21704ea39 sha1: 41ebde0f54021acbe37e2b921ee9a2c86c01d9ee size: 316928
Section .data: md5: 2cad55b9eb8127f017b9fe89b99a4e19 sha1: 952e13fdc390d9bde9b58a26c59c950b404bf3f1 size: 10752
Section .reloc: md5: 31b3d7cd16cedb098022a1084543f2a0 sha1: 431b3ba92e33d57d4fb861d050055299a02bf2a1 size: 69632
Timestamp: 2015-04-30 20:52:01
Packer: Microsoft Visual C++ 8
PEhash: da8e80df74d9050358e06fafe37e1694eb0d439a
IMPhash: 32997e0e767ce2e732e4a89e9d093b45
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.606112
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.606112
AV BullGuard: Gen:Variant.Kazy.606112
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.606112
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.606112
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.606112
AV Fortinet: W32/Generic.R!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Generic36.CIRX
AV Eset (nod32): Win32/Bayrob.R
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.606112
AV Twister: no_virus
AV Avira (antivir): TR/Boryab.aiez
AV Mcafee: no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\yewixbmo1m8so5fb4xadv0yk.exe
Creates File: C:\WINDOWS\system32\iymmdsicnim\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\yewixbmo1m8so5fb4xadv0yk.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\yewixbmo1m8so5fb4xadv0yk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bluetooth WWAN Center List TCP/IP Call ➝ C:\WINDOWS\system32\llunkqdlrhh.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\iymmdsicnim\lck
Creates File: C:\WINDOWS\system32\llunkqdlrhh.exe
Creates File: C:\WINDOWS\system32\iymmdsicnim\tst
Creates File: C:\WINDOWS\system32\iymmdsicnim\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\llunkqdlrhh.exe
Creates Service: Microsoft Manager SPP Machine - C:\WINDOWS\system32\llunkqdlrhh.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1848

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\llunkqdlrhh.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\iymmdsicnim\rng
Creates File: C:\WINDOWS\system32\iymmdsicnim\lck
Creates File: C:\WINDOWS\system32\kdigjrbwv.exe
Creates File: C:\WINDOWS\TEMP\yewixbmo1tp0o5fb4.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\iymmdsicnim\run
Creates File: C:\WINDOWS\system32\iymmdsicnim\tst
Creates File: C:\WINDOWS\system32\iymmdsicnim\cfg
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\llunkqdlrhh.exe"
Creates Process: C:\WINDOWS\TEMP\yewixbmo1tp0o5fb4.exe -r 47632 tcp

Process
↳ C:\WINDOWS\system32\llunkqdlrhh.exe

Creates File: C:\WINDOWS\system32\iymmdsicnim\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\llunkqdlrhh.exe"

Creates File: C:\WINDOWS\system32\iymmdsicnim\tst

Process
↳ C:\WINDOWS\TEMP\yewixbmo1tp0o5fb4.exe -r 47632 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: melbourneit.hotkeysparking.com
Type: A
8.5.1.16
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=4a6eec00&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 8.5.1.16:80
